Set up Catalog RBAC
Port provides fine-grained controls to ensure that every user only sees the parts of the catalog that are relevant to them.
Port's Catalog RBAC capabilities are enabled by Port's permissions controls.
To manage who can view which pages in Port, see page permissions.
💡 Common Software Catalog RBAC Usage
For example, Catalog RBAC allows admins to fine-tune which users can access which information in the catalog:
- Show developers only the services they own;
- Allow users to edit only specific properties of an entity;
- Create a completely read-only view for developers;
- etc.
Set global access controls on catalog data
The default permissions assigned to every blueprint upon creation specify that users with the Admin role and users with the specific blueprint's moderator role can perform any action on the blueprint.
It is also possible to assign global permission controls on entities:
- Create (register)
- Update
- Delete (unregister)
To assign permissions to create entities, give the desired role permissions under the register object, as shown below:
- Role
- User
- Team
- Ownership
To give the create permission to another role, add it to the roles array:
{
  "entities": {
    ... other permissions
    "register": {
      "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
      "users": [],
      "teams": [],
      "ownedByTeam": false
    }
  }
}
To give the create permission to another user, add it to the users array:
{
  "entities": {
    ... other permissions
    "register": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": ["[email protected]"], // added [email protected]
      "teams": [],
      "ownedByTeam": false
    }
  }
}
To give the create permission to another team, add it to the teams array:
{
  "entities": {
    ... other permissions
    "register": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": ["my-team"], // added my-team
      "ownedByTeam": false
    }
  }
}
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give the create permission to members of the team that owns the entity, change the ownedByTeam key:
{
  "entities": {
    ... other permissions
    "register": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": [],
      "ownedByTeam": true // changed from false
    }
  }
}
To assign permissions to update entities, give the desired role permissions under the update object, as shown below:
- Role
- User
- Team
- Ownership
To give the update permission to another role, add it to the roles array:
{
  "entities": {
    ... other permissions
    "update": {
      "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
      "users": [],
      "teams": [],
      "ownedByTeam": false
    }
  }
}
To give the update permission to another user, add it to the users array:
{
  "entities": {
    ... other permissions
    "update": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": ["[email protected]"], // added [email protected]
      "teams": [],
      "ownedByTeam": false
    }
  }
}
To give the update permission to another team, add it to the teams array:
{
  "entities": {
    ... other permissions
    "update": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": ["my-team"], // added my-team
      "ownedByTeam": false
    }
  }
}
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give the update permission to members of the team that owns the entity, change the ownedByTeam key:
{
  "entities": {
    ... other permissions
    "update": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": [],
      "ownedByTeam": true // changed from false
    }
  }
}
To assign permissions to delete entities, give the desired role permissions under the unregister object, as shown below:
- Role
- User
- Team
- Ownership
To give the delete permission to another role, add it to the roles array:
{
  "entities": {
    ... other permissions
    "unregister": {
      "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
      "users": [],
      "teams": [],
      "ownedByTeam": false
    }
  }
}
To give the delete permission to another user, add it to the users array:
{
  "entities": {
    ... other permissions
    "unregister": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": ["[email protected]"], // added [email protected]
      "teams": [],
      "ownedByTeam": false
    }
  }
}
To give the delete permission to another team, add it to the teams array:
{
  "entities": {
    ... other permissions
    "unregister": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": ["my-team"], // added my-team
      "ownedByTeam": false
    }
  }
}
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give the delete permission to members of the team that owns the entity, change the ownedByTeam key:
{
  "entities": {
    ... other permissions
    "unregister": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": [],
      "ownedByTeam": true // changed from false
    }
  }
}
Set fine-grained access controls on catalog data
It is also possible to assign more fine-grained permission controls on entities:
- Update a specific property
- Update a specific relation
To assign permissions to update a specific entity property, give the desired role permissions under the updateProperties -> propertyName object, as shown below:
- Role
- User
- Team
- Ownership
To give the property update permission to another role, add it to the roles array:
{
  "entities": {
    ... other permissions
    "updateProperties": {
      "myProperty": {
        "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
        "users": [],
        "teams": [],
        "ownedByTeam": false
      }
    }
  }
}
To give the property update permission to another user, add it to the users array:
{
  "entities": {
    ... other permissions
    "updateProperties": {
      "myProperty": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": ["[email protected]"], // added [email protected]
        "teams": [],
        "ownedByTeam": false
      }
    }
  }
}
To give the property update permission to another team, add it to the teams array:
{
  "entities": {
    ... other permissions
    "updateProperties": {
      "myProperty": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": [],
        "teams": ["my-team"], // added my-team
        "ownedByTeam": false
      }
    }
  }
}
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give the property update permission to members of the team that owns the entity, change the ownedByTeam key:
{
  "entities": {
    ... other permissions
    "updateProperties": {
      "myProperty": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": [],
        "teams": [],
        "ownedByTeam": true // changed from false
      }
    }
  }
}
To assign permissions to update a specific entity relation, give the desired role permissions under the updateRelations -> relationName object, as shown below:
- Role
- User
- Team
- Ownership
To give the relation update permission to another role, add it to the roles array:
{
  "entities": {
    ... other permissions
    "updateRelations": {
      "myRelation": {
        "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
        "users": [],
        "teams": [],
        "ownedByTeam": false
      }
    }
  }
}
To give the relation update permission to another user, add it to the users array:
{
  "entities": {
    ... other permissions
    "updateRelations": {
      "myRelation": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": ["[email protected]"], // added [email protected]
        "teams": [],
        "ownedByTeam": false
      }
    }
  }
}
To give the relation update permission to another team, add it to the teams array:
{
  "entities": {
    ... other permissions
    "updateRelations": {
      "myRelation": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": [],
        "teams": ["my-team"], // added my-team
        "ownedByTeam": false
      }
    }
  }
}
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give the relation update permission to members of the team that owns the entity, change the ownedByTeam key:
{
  "entities": {
    ... other permissions
    "updateRelations": {
      "myRelation": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": [],
        "teams": [],
        "ownedByTeam": true // changed from false
      }
    }
  }
}
Software catalog RBAC examples
For practical examples of Port's RBAC, see the examples page.
FAQ
Because catalog RBAC can be very granular, in some cases it may not be entirely clear what the resulting permissions will do; this section provides some practical examples and describes how Port's RBAC behaves in those cases:
What happens if a user does not have permission to edit a required property of a blueprint?
In that case, the user will not be able to register or update the entity as a whole, because they cannot provide a value for the required property;